intent verification (1)

7/31/2019 Intent Verification (1)

1/40

Have I Designed What I Wanted?Intent Verification of Embedded Software

Partha P Chakrabarti

Indian Institute of Technology Kharagpur


2/40

Designing Electronic / Embedded Systems


3/40

Caar: Birds Eye View

3


4/40

Automotive ECS Functions

Powertrain control functions Engine control for fuel efficiency Hybrid System, Hard Real Time (micro-,milliseconds)

Chassis control Braking, Steering, Stability

ABS,ESP, By-wire Hybrid System, Hard Real Time(milliseconds)

Body electronics Lights, doors, windows, dashboard, seats, mirrors Discrete, Reactive (seconds)

Telematics Navigation, infotainment , remote vehicle diagnostics Hands-free phone, radio, CD, DVD


5/40

Automotive Controller Architecture

ECU

S S A

ECU ECU

S A

ECU

S SA

low speed bus (e.g. CAN)

ECU

S A AS A S S

sensor/actuator bus (e.g. LIN)

gateway

high speed bus (e.g. CAN)

ECU

S A A

ECU

S A

ECU

S A A

ECU

S A A

ECU

S A A

ECU

S A A

safety critical bus(e.g. FlexRay)


6/40

Fault-tolerant Automotive ECS Architecture


7/40

Computational Features

Reactive systems Non-termination is a good behavior!

Hybrid systems Discrete controller for continuous environments

Real-time systems Not only right output but at right time Hard and Soft Deadlines

High degree of reliability

Protection from HW failures and SW bugs SW notorious for bugs

High integrity, safety-critical systems Lack of standards and inspections (unlike avionics) ISO 26262 is just emerging


8/40

Design Intent Specification & Verification


9/40

9

Architectural SpecificationExample: Priority Arbiter

r1

r2

g1

g2

The system requires to arbitrate between requests r1and r2 and provide grants g1 and g2 in such a way

that r2 is default but r1 is given higher priority over r2.Mutual exclusion must be guaranteed.


10/40


11/40

Specification of Fuel Controller Unit


12/40

High-Level Functional and Timing Specification

Functional Specification

Timing Requirement


13/40



14/40

Next Level Specification: Fuel Rate Controller


15/40

Adaptive Cruise Control

15


16/40



17/40

Layered Verification of Design Intent

Architecture Level:Consistency (Satisfiable),Realizability (Implementable),Completeness (Coverage)

Block-Component level:Design Intent Coverage: Do theSub-Block or Component Level

Properties together imply theArchitecture or Block LevelProperties?

State to Block Level:Model Checking to see if thestate properties andinteractions combine to meetthe block level properties

Code level:Testing and SoftwareVerification Methods to checkwhether the implemented codemeets properties of macro-

states.

Logic Foundations of Intent Specification:


18/40

Logic Foundations of Intent Specification:Temporal Logic

Temporal operators:

Gp

Fp

Xp

pUq

Path quantifiers: A for all path

E there exists a path


19/40


20/40


21/40

21

Priority Arbiter: Properties

r1

r2

g1

g2

Whenever r1 is asserted, g1 is given in the next cycle

When r2 is the sole request, g2 comes in the next cycle

When none of them are requesting, the arbiter parks the granton g2

g1 and g2 can not be true at the same time (mutual exclusion)


22/40

22

An Example: Priority Arbiter

r1

r2

g1

g2

Either g1 or g2 is alwaysfalse (mutual exclusion)

G[g1 g2]

Whenever r1 is asserted, g1 is given in the next cycle

G[ r1 Xg1 ]

When r2 is the sole request, g2 comes in the next cycle

G[ (r1 r2) Xg2 ]

When none are requesting, the arbiter parks the grant on g2

G[ (r1 r2) Xg2 ]


23/40

Automotive Properties in Temporal Logic

When brake is applied, the car immediately decelerates

G[ brake X decel ]

When brake is applied, the car begins to decelerate within 200msG[ brake F200 decel ]

When brake is pressed, then car decelerates within 200milliseconds by either throttle adjustment or brake adjustment.

G[ brake F x (throttle_adj brake_adj) ]

G[ throttle_adj F y decel ]

G[ brake_adj F z decel ] (x+ y 200) (x + z 200)

If brake is pressed for more than 3 seconds the car stops.

G[ brake U 3000 brake F3000 stops ]


24/40

Architectural Verification of Design Intent

ArchitectureLevel:

Consistency

(Satisfiable)

Realizability(Implementable)

Completeness(Coverage)

Time Budgeting


25/40

25

Realizability

Consider our priority arbiter

Property:

Whenever the request r1 arrives,

the grant g1 must be given exactly in the next cycle

Suppose the designer is tempted to write this as

G[ r1 X(g1) X X( g1)]

This property is satisfiable, -- consider input sequenceswhere r1 is never asserted

It is not realizable for input sequences where r1 is assertedfor two consecutive cycles

r1r2

g1g2


26/40

Valid Region Checking

Given a formula F, we want to find the region for which it is valid(that is, it always holds true).

G[ brake F x (throttle_adj brake_adj) ]

G[ throttle_adj F y decel ]

G[ brake_adj F z decel ] (x+ y 200) (x + z 200)

x1

x2

x1 Valid

Not Validx2

C


27/40

The Design Intent Coverage Problem

Ti B d t V lid ti P bl


28/40

Time Budget Validation Problem

Time-Budgeting: What values of x, y, w, z are good-enough?

Real-timeSpecifications

Given a set of features and their real-time requirements & a set of

components and their parametric-time requirements for implementingthese features

Propose Early stage Time-Budgeting MethodologyFind constraints over parameter values and check viabilityDesign space exploration to select suitable valuation

E d t E d Ti i L t S ifi ti


29/40

End-to-End Timing Latency Specification

AC CCont rol ler

Y aw ra te ,La t acce l ,V eh speed,Act ge ar, . .

Acc. Pedal ,

b rakepeda l ,s t eer ingwh eel , ..

Radar / L idar

yy y

aaa

bb b

Objectde tec t ion

V eh ic le P athE s t imat ion

Forward LaneDetec t ion

th ro t t l e

Enable/DisableIn te r f ace

Hapt i c sea t

brak ing

HMI ou tpu t

End-t o-End Lat ency < 100 m s

Sensors Ac tua to rs

D i V ifi ti Th h M d l Ch ki


30/40

Design Verification Through Model Checking


31/40

31

Model Checking

MC

G(p F q)yes

nop

q

p

q

temporal formula

finite-state model

algorithm

counterexample

The State Explosion Problem


32/40

32

The design consists of a set of concurrent state machines

If module Mi has ki states, then the product state machine, M1 || M2|| || Mn has k1x k2 x x kn states

For model checking global properties of the system, we need theproduct state machine

The State Explosion Problem

1 2

a

b

c

1a 2b 1c

2c 1b 2a

Product FSM

Planning as Intent Verification:


33/40

33

gGame Theoretic Approach to Reasoning

Env

action

Env

action

Controlactions

(interleaved)

Env

action

Safe & stable state, no applicable control actions

Unstable state, control actions applicable

Unsafe state, no applicable control actions

Controlactions(interleaved)

Modular Testing & Coverage Analysis


34/40

Modular Testing & Coverage Analysis

Notion of Coverage or Completeness


35/40

35

Notion of Coverage or Completeness

p, q, r

p, q, rp, q, r

p, q, r

What is the coverage of(p U q) on this model?

S1

S2S3

S4

p

Still (p U q) passes!!

S4 is not covered

with respect to p

Is S4 covered

with respect to p?

Flip p at S4

Design Team

Property RefinementAnd Coverage Flow


36/40

36

SpecificationDesign

Model Checker

Coverage Estimator Correct the Design

Property Refinement

Refined Property

Design Team

Validation

Correct Incorrect

Identify theportion of thedesign whereit holds

Property IncorrectNot a

correctness

property

Property correct

Refine Specwith theproperty

Add the negation

of the property

And Coverage Flow

Emerging Trends in Design Verification


37/40

Emerging Trends in Design Verification

Modeling Open Systemswith EnvironmentalInteractions

Fault Tolerance Analysis ofBehavioural Specifications

Specification and Analysisof Critical DesignParameters like Power,Reliability

Design Space Explorationand Metrics from Integrated

Specifications

Fast ImplementationVerification using results ofdesign intent verification

Dimensions of the Grand Challenge


38/40

38

Dimensions of the Grand Challenge

System

Type Formalspecs

CoreProblems

Discrete Systems

Continuous Systems

Hybrid Systems

Boolean Logic

Temporal Logic

FSM

Equations

Hybrid Automata

Satisfiability

Formal coverage

Synthesizability

Model Checking

We encounter the sameissue in Building Design,Bridge Design, MaterialsDesign, Biological Design,with multi-dimensional,multiphysics modelling.

Summary


39/40

Summary

Design Intent Verification is key to correct and complete

specification and an important step forward in the correct byconstruction approach.

A new set of mathematical modelling techniques and analyticaltools based on a combination of logic and optimization areemerging as the foundational methodology.

New methods transcend functional and timing correctness andare able to assess important design requirements like power,reliability, robustness, safety, etc.

Issues of scalability are being handled by smart knowledgeintensive methods of artificial intelligence, data mining and mixed-

boolean-integer-programming techniques.

These approaches can be extended in other domains using asimilar philosophy.

We need more multi-disciplinary interaction for addressing someof the core challenges.


40/40

Thank you for listening

Please feel free to ask questions

intent verification (1)

Documents